Heimdall Bogus Subscribers Attack Incident

  • Happened from 2023-07-30 to 2023-08-01, or something like that
  • Bunch of bots started to sign up for Simplified Chinese, like 300 people
  • Felt great, yeah, here we go
  • So I moved forward with the Project Naroo migration, added new languages
  • Now I got a bunch of people signing up for ta (Tamil). Like 40 people
  • Something was weird.
  • One thing in common was that both lists that got tons of subscribers were the last list on Listmonk.
  • Seemed like an attack of some sort. I tried emailing a handpicked few, but none replied.
  • The emails were very authentic-looking, though. So it took a lot of work to tell which one was bogus or not.
  • So I tried adding an empty list and explicitly said "do not subscribe" on the list. Sure enough, a bunch of people still signed up. Look at these messes. Also, don't they look so authentic?
  • [Image: BB6677.png]
  • One odd thing was that usually when a subscriber signs up for Heimdall, the name field was the handle from the email company. These bogus subscribers had something like UUID.
  • Anyways, so I had to inspect all subscribers and batch-delete 400 subscribers.
  • Also, I blocked the public subscription page.
  • Under Attack? Spike in Bot Users · Issue #1413 · knadh/listmonk
  • Why did anyone do this?
  • I am not sure, but one thing is for sure: now I got a warning from AWS. A competitor in the space?
  • [Image: 2F4DFC.png]
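
The two tells from this incident (a UUID-looking name instead of the email handle, and signing up for the "do not subscribe" decoy list) can be checked over an exported subscriber list before batch-deleting. This is an added example, not code from the original notes or from Listmonk; the CSV column layout, the list names and the `HONEYPOT_LIST` value are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Assumed name for the decoy list described above (hypothetical).
HONEYPOT_LIST = "do-not-subscribe"

# Matches a 32-hex-digit UUID, with or without the usual dashes.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Constructed sample data; the column layout is an assumption.
SAMPLE_CSV = """email,name,lists
alice.kim@example.com,alice.kim,english
bob@example.org,bob,english|korean
carol.w@example.net,3f2b8c1e-9a47-4d2e-b6a1-0c5d7e8f9a10,simplified-chinese
dave77@example.com,dave77,do-not-subscribe
erin@example.org,7d1c0e55b3a94f0c8e2a6b4d9f1e2c3a,tamil|do-not-subscribe
frank@example.net,Frank Miller,english
"""

def suspicion_reasons(row):
    """Return the list of reasons a subscriber row looks bogus."""
    reasons = []
    name = row["name"].strip()
    handle = row["email"].split("@", 1)[0]
    # A real handle could in theory be a UUID, so require a mismatch too.
    if UUID_RE.match(name) and name.lower() != handle.lower():
        reasons.append("uuid-like name")
    if HONEYPOT_LIST in row["lists"].split("|"):
        reasons.append("joined honeypot list")
    return reasons

def flag_subscribers(csv_text):
    """Map each suspicious email to its reasons, for review before deletion."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicion_reasons(row)
        if reasons:
            flagged[row["email"]] = reasons
    return flagged

if __name__ == "__main__":
    for email, reasons in flag_subscribers(SAMPLE_CSV).items():
        print(f"{email}: {', '.join(reasons)}")
```

Rows flagged for both reasons are the safest to delete first; rows flagged only by the decoy list are worth a manual look.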